In this episode, we welcome Andrew Chappelle from Calgary, Alberta, Canada.
We talked about network access control, focusing on securing the Wi-Fi network. He shared his experience with complex NAC systems such as Cisco ISE and Aruba ClearPass, and also shared his view of what the future of access control will look like.
Andrew Chappelle (CCIE-W #42377) works as a System Engineer for Aruba HPE out of Calgary. In his previous positions, he worked a lot on complex network access deployments. He is very knowledgeable about Wi-Fi and will soon be a CWNE! I guess we are going to have to bring him back on the show when he is! You can find him on Twitter at @AngryWrelessGuy. He blogs at angrywirelessguy.wordpress.com.
Wi-Fi Network Access Control
The WHY: Why do we need network access control for the WLAN infrastructure? Let’s talk about the customer’s requirements:
- Offer different access and levels of security for different types of users & devices
- Enable easy & secure BYOD
- Segment the Wi-Fi network so guest traffic is isolated
- Make the user experience easier
The WHAT: What are the solutions to meet these requirements?
- One SSID for corporate users (serving both BYOD and corporate-managed devices) – SSID consolidation
- SSID for guest
- Profiling
The HOW: How do we implement it? What do we need to make it happen?
- NAC server
- Certificate PKI
We talked about the most common EAP methods used today.
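The EAP method is not fixed by the SSID: it is negotiated inside 802.1X, with the NAC/RADIUS server proposing a method and the supplicant either accepting it or answering with a Nak that lists what it would rather use. As an added example (not from the episode and not code from ISE or ClearPass), the Python below decodes EAP packets per RFC 3748 and walks an authenticator/supplicant exchange to report which method was agreed on, which is the value a NAC policy should be checking. The packets are constructed for the example, and the "weak methods" set is an assumption of this example (MD5-Challenge derives no 802.11 keying material, LEAP is broken), not a list from either vendor.

```python
"""Decode EAP (RFC 3748) packets and follow the method negotiation.

Added example; every packet below is constructed, not captured.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# EAP method types from the IANA registry; the ones usually seen on WLANs
EAP_TYPES = {
    1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
    13: "EAP-TLS", 17: "LEAP", 18: "EAP-SIM", 21: "EAP-TTLS",
    23: "EAP-AKA", 25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST",
}

# Assumption of this example: methods a WLAN NAC policy should refuse.
WEAK_METHODS = {4, 17}


def parse_eap(pkt: bytes) -> dict:
    """Parse one EAP packet; raises ValueError on malformed input."""
    if len(pkt) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    # Length covers the whole packet; refuse it if the buffer cannot back it
    if length < 4 or length > len(pkt):
        raise ValueError(f"length {length} inconsistent with {len(pkt)} bytes")
    info = {"code": EAP_CODES[code], "id": ident, "length": length}
    if code in (3, 4):          # Success / Failure carry no Type field
        return info
    if length < 5:
        raise ValueError("Request/Response needs a Type byte")
    eap_type = pkt[4]
    data = pkt[5:length]
    info["type"] = eap_type
    info["method"] = EAP_TYPES.get(eap_type, f"type-{eap_type}")
    if eap_type == 1:           # Identity: outer (often anonymous) identity
        info["identity"] = data.decode("utf-8", "replace")
    elif eap_type == 3:         # Nak: types the peer would accept instead
        info["desired"] = [EAP_TYPES.get(t, f"type-{t}") for t in data]
    return info


def negotiated_method(exchange):
    """Walk (sender, packet) pairs and return the method the supplicant accepted.

    A Request with a method Type is a proposal; a Response with the same Type
    accepts it, a Response of type Nak refuses it. Returns None if nothing
    was accepted.
    """
    offered = None
    for _sender, raw in exchange:
        p = parse_eap(raw)
        if p["code"] == "Request" and p.get("type", 0) > 3:
            offered = p["type"]                      # method proposal
        elif p["code"] == "Response" and p.get("type") == 3:
            offered = None                           # refused; see p["desired"]
        elif p["code"] == "Response" and offered and p.get("type") == offered:
            return {"type": offered,
                    "method": EAP_TYPES.get(offered, f"type-{offered}"),
                    "weak": offered in WEAK_METHODS}
    return None


# Constructed exchange: server offers EAP-TLS, client Naks and asks for PEAP
IDENTITY = b"anonymous@example.com"
EXCHANGE = [
    ("authenticator", b"\x01\x01\x00\x05\x01"),                      # Request/Identity
    ("supplicant", b"\x02\x01" + struct.pack("!H", 5 + len(IDENTITY)) + b"\x01" + IDENTITY),
    ("authenticator", b"\x01\x02\x00\x06\x0d\x20"),                  # Request EAP-TLS, Start flag
    ("supplicant", b"\x02\x02\x00\x06\x03\x19"),                     # Nak: wants PEAP (25)
    ("authenticator", b"\x01\x03\x00\x06\x19\x20"),                  # Request PEAP, Start flag
    ("supplicant", b"\x02\x03\x00\x0a\x19\x00\x16\x03\x01\x00"),     # PEAP response (TLS bytes stubbed)
]

# Constructed exchange that ends in MD5-Challenge, which the policy should refuse
WEAK_EXCHANGE = [
    ("authenticator", b"\x01\x05\x00\x07\x04\x01\xaa"),              # Request MD5-Challenge
    ("supplicant", b"\x02\x05\x00\x07\x04\x01\xbb"),                 # Response MD5-Challenge
]

if __name__ == "__main__":
    for sender, raw in EXCHANGE:
        print(sender, parse_eap(raw))
    print("negotiated:", negotiated_method(EXCHANGE))
    print("weak exchange:", negotiated_method(WEAK_EXCHANGE))
```

On a real network the same bytes arrive inside RADIUS EAP-Message attributes (server side) or EAPOL frames (air side); the parser only needs the EAP packet itself, so the caller is assumed to have stripped that outer layer.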
What is coming next? What can we expect seeing in these NAC solutions in the near future?
Resources
Links to ISE documentation:
- ISE community: https://communities.cisco.com/community/technology/security/pa/ise
- ISE Demo videos: https://communities.cisco.com/docs/DOC-63878
- ISE YouTube Channel: https://www.youtube.com/user/CiscoISE/playlists
Links to ClearPass documentation:
- ClearPass Documentation: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/6864/Default.aspx
- ClearPass Demo (requires credentials): https://clearpass.arubademo.net/tips/tipsLogin.action
Upcoming Episode on Wi-Fi Issue
Here is the link to the Wi-Fi issues submission form for one of our upcoming episodes.
This Week In Wireless
Cisco – New AireOS version released: 8.3.111.0
Adaptive 802.11r
802.11r is the IEEE standard for fast roaming; this kind of roaming is also known as Fast Transition (FT). Here the initial handshake with the target AP is done before the client roams to it. Adaptive 802.11r lets you set up a WLAN without setting Fast Transition to Enable: Apple iOS 10 clients signal to the Cisco APs that they support this functionality, the APs signal back that adaptive 802.11r is supported on the network, and the client performs an FT association on the WLAN.
Legacy wireless clients that do not support 802.11r can still join the same network, but they do not benefit from faster FT roaming. Legacy devices that do not recognize the FT AKMs in beacons and probe responses join as 11i/WPA2 devices.
This feature is supported on the following Wave2 APs:
- Cisco Aironet 1560 Series APs
- Cisco Aironet 1800 Series APs
- Cisco Aironet 2800 Series APs
- Cisco Aironet 3800 Series APs
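Whether a legacy client "joins as an 11i/WPA2 device" comes down to which AKM suite selectors the RSN element in the beacon or probe response lists. As an added example (not Cisco code and not from the release notes), the Python below decodes an RSN element and summarizes what a client will see: a WLAN that advertises both the 802.1X and FT-802.1X AKMs offers FT to 11r-capable clients while non-11r clients still have a plain 802.1X AKM to select. The same decode also shows the cipher suites, so a WLAN still carrying TKIP (see the TKIP support note below) is flagged, and the MFP bits of the RSN capabilities field (bit 6 MFPR, bit 7 MFPC). Both elements are constructed for the example.

```python
"""Decode an RSN element (ID 48) from a beacon/probe response and report the
advertised AKMs, ciphers and MFP bits. Added example; elements are constructed.
"""
import struct

WLAN_OUI = b"\x00\x0f\xac"   # IEEE 802.11 suite selectors use this OUI

CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
        5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}


def _suite(raw: bytes, table: dict) -> str:
    """Map a 4-byte suite selector (OUI + type) to a name."""
    oui, typ = raw[:3], raw[3]
    if oui != WLAN_OUI:
        return f"vendor-{oui.hex()}:{typ}"
    return table.get(typ, f"unknown-{typ}")


def _suite_list(body: bytes, pos: int, table: dict):
    """Read a 2-byte count followed by that many selectors; return (names, new_pos)."""
    if pos + 2 > len(body):
        raise ValueError("RSN element truncated before suite count")
    (count,) = struct.unpack_from("<H", body, pos)
    pos += 2
    if pos + 4 * count > len(body):
        raise ValueError("RSN element truncated inside suite list")
    names = [_suite(body[pos + 4 * i:pos + 4 * i + 4], table) for i in range(count)]
    return names, pos + 4 * count


def parse_rsn_ie(ie: bytes) -> dict:
    """Parse group cipher, pairwise ciphers, AKMs and capabilities out of an RSN element."""
    if len(ie) < 2 or ie[0] != 48:
        raise ValueError("not an RSN element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1] or len(body) < 6:
        raise ValueError("RSN element length does not match data")
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = _suite(body[2:6], CIPHERS)
    pairwise, pos = _suite_list(body, 6, CIPHERS)
    akms, pos = _suite_list(body, pos, AKMS)
    # RSN capabilities are optional; absent means all bits clear
    caps = struct.unpack_from("<H", body, pos)[0] if pos + 2 <= len(body) else 0
    return {"group": group, "pairwise": pairwise, "akms": akms, "caps": caps}


def roaming_profile(rsn: dict) -> dict:
    """What an associating client can pick: FT AKMs, non-FT AKMs, TKIP, MFP bits."""
    ft = [a for a in rsn["akms"] if a.startswith("FT-")]
    legacy = [a for a in rsn["akms"] if not a.startswith("FT-")]
    return {
        "fast_transition": bool(ft),
        "legacy_fallback": bool(legacy),   # non-11r clients can still join as 11i/WPA2
        "tkip": rsn["group"] == "TKIP" or "TKIP" in rsn["pairwise"],
        "mfp_capable": bool(rsn["caps"] & 0x0080),
        "mfp_required": bool(rsn["caps"] & 0x0040),
    }


# Constructed element for a WLAN advertising 802.1X and FT-802.1X AKMs:
# CCMP group, CCMP pairwise, MFP capable
FT_IE = (bytes([0x30, 0x18]) + b"\x01\x00" + WLAN_OUI + b"\x04"
         + b"\x01\x00" + WLAN_OUI + b"\x04"
         + b"\x02\x00" + WLAN_OUI + b"\x01" + WLAN_OUI + b"\x03"
         + b"\x80\x00")

# Constructed mixed-mode WPA2-PSK element with TKIP still enabled
TKIP_IE = (bytes([0x30, 0x18]) + b"\x01\x00" + WLAN_OUI + b"\x02"
           + b"\x02\x00" + WLAN_OUI + b"\x02" + WLAN_OUI + b"\x04"
           + b"\x01\x00" + WLAN_OUI + b"\x02"
           + b"\x00\x00")

if __name__ == "__main__":
    for name, ie in (("FT_IE", FT_IE), ("TKIP_IE", TKIP_IE)):
        rsn = parse_rsn_ie(ie)
        print(name, rsn, roaming_profile(rsn))
```

To run this against a real WLAN, feed it the bytes of the RSN tagged parameter from a captured beacon (for example as exported from Wireshark); the example assumes the caller has already isolated that element from the frame.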
QoS Fastlane
QoS Fastlane simplifies the application traffic prioritization process so that network congestion is minimized and time sensitive traffic (like voice or video) is delivered on time.
To choose which iOS apps have their traffic prioritized by QoS Fastlane, configure the network with a configuration profile.
Support for this feature now extends to the following Cisco APs:
- Cisco Aironet 1560 Series APs
- Cisco Aironet 1800 Series APs
- Cisco Aironet 2800 Series APs
- Cisco Aironet 3800 Series APs
Temporal Key Integrity Protocol (TKIP) Support
The TKIP security protocol option is supported on the following Cisco APs. Note that TKIP is deprecated in IEEE 802.11-2012 and should stay disabled unless a legacy client still needs it; in a mixed WLAN the group cipher falls back to TKIP for every client.
- Cisco Aironet 1560 Series APs
- Cisco Aironet 1810 Series APs
- Cisco Aironet 1815 Series APs
- Cisco Aironet 1830 Series APs
- Cisco Aironet 1850 Series APs
- Cisco Aironet 2800 Series APs
- Cisco Aironet 3800 Series APs
Resolved Caveats
CSCus83638 Cisco AP 5-GHz radio is stuck – beaconing continues but does not accept client associations.
CSCva32411 Clients lose connectivity when reauthenticating with 802.1X over a Cisco 702w AP
CSCvb72192 Cisco 1850 APs running Click OS: iPhone 6S fails to connect to an adaptive 802.11r WLAN
Ask a Question
From Temur:
“Hello, do you have experience using EAP-SIM or Hotspot 2.0 in hotels or public areas to avoid the installation of 3G/4G retranslators from GSM providers? The problem is, if there is no 3G coverage on the hotel floors, all the providers install those ugly antennas on each floor, near my APs. We have three providers, so imagine what will happen to the hotel design if all of them try to install antennas. Is it possible to use the existing WiFi infrastructure to avoid such installations?”
Response
If you’re using Cisco APs such as the 3700s, you could use the AP’s cellular module for cell service.
The best option is Wi-Fi calling, but you need to verify that it works with your carriers: some carriers do not support it, and some devices do not support Wi-Fi calling either.
The other option is to install a DAS (distributed antenna system) and have all providers share it. This should be possible without installing separate antennas for each carrier. Check out CTS050.
WLANCOMP.com
The WLAN Community Compensation Comparison is a survey conducted by Keith Parsons late last year.
You can compare what your compensation would be if you were to move somewhere else.
On top of this, Keith tweeted a few results from the compensation survey this week:
To anyone using https://t.co/E3P04ziaA4
Correlation is NOT Causation!
Tool is statistically valid – w/nearly 1,000 sets of data. pic.twitter.com/9khYzY577i
— Keith R. Parsons (@KeithRParsons) March 2, 2017
Where you work, and what your certifications are make a huge difference in total possible compensation. 2/7 pic.twitter.com/h5KqaqRb5w
— Keith R. Parsons (@KeithRParsons) March 2, 2017
Certifications played a large role in what people earned… yet were NOT statistically significant as a predictor of earnings. 3/7
— Keith R. Parsons (@KeithRParsons) March 2, 2017
More years experience, more salary.
But age not on same trajectory more of a curve. 4/7 pic.twitter.com/BbvRW2Zhd3
— Keith R. Parsons (@KeithRParsons) March 2, 2017
Vendor supported also had an impact in compensation… as did region. But not statistically able to use in prediction. 5/7 pic.twitter.com/2PAkNzqIba
— Keith R. Parsons (@KeithRParsons) March 2, 2017
How many nights spent away from home is a huge predictor of WLAN Professionals compensation. 6/7 pic.twitter.com/IHiGBQqsrJ
— Keith R. Parsons (@KeithRParsons) March 2, 2017
802.11eh Patches
Brennan Martin has some cool 802.11eh Canadian Wi-Fi patches. Cost per patch is $6 USD, which is just enough to cover his cost.
WLPC Videos
The videos from WLPC Phoenix 2017 have been released. Check them out on Keith’s Vimeo page.
Carrier Wave
Other very good blog articles shared on the Carrier Wave paper this week:
Following up with WLPC:
- Install Spectools on the WLPC Odroid
- Giving back to the community by Rasika